XSS (Cross Site Scripting)

Is XSS only a vulnerability in web apps where a legitimate user has to enter login credentials to access areas of the application, or can it be evident in applications where the user does not require login details and can access any area of the appliaction without any authentication / access control?

XSS has nothing to do with credentials/authentication/access control
but can be used to steel credentials and bypass access controls
XSS is always a vulnerability in the web application and/or the data the web application delivers to the browser (in case of persistent XSS).

Simply said: an XSS vulnerability allows for malicious client side script execution. What this script does in the context of that web application is only limited by the attackers imagination.
The main sources for XSS vulnerabilities are improper input and output sanitization, so the attacker can inject his code.
This can be in stored content, injected in fields, URL parameters, ...